Netwrix 1Secure delivers unified visibility across data and identity — free for 14 days with full access. Start a free trial

Resource centerBlog
Defense wins championships: Why cybersecurity is a team sport

Defense wins championships: Why cybersecurity is a team sport

Jun 26, 2026

Unknown block type "undefined", specify a component for it in the `components.types` option

The World Cup is here.

2026. US, Mexico, Canada. If you’ve ever stood in a stadium during a knockout match, or watched one with people who actually care, you know there’s nothing quite like it. You’re watching 22 players make split-second decisions in real time, knowing the whole thing can turn on one moment you didn’t see coming.

As you can probably tell, I’m a fan. Actually, I’m more than just a fan. I’m a coach. Granted, it’s for an under-9 soccer (or football as the rest of the world calls it) team, but a coach nonetheless. I digress.

My point is, I think about soccer a lot. And the more I think about this summer, the more I keep coming back to one thing: soccer and cybersecurity are the same game.

On the pitch, you defend your colors, your team, and your crest. In security, you defend your data, your people, and your organization. From the outside, the stakes seem wildly different. But when you’re staring at a breach notification at 2 in the morning, they feel the same.

Built before kickoff

The reason soccer works as a metaphor for security is that the underlying logic is the same: defense is built before the attack, not assembled in response to it. That’s what a formation is for: it’s the shape a team strategically builds before kickoff to withstand pressure from attackers and drive itself forward.

Strong defensive teams don’t just react to attacks; they deny space before the ball arrives. Their shape compresses lanes, removes gaps, and makes attack options predictable.

That’s why even the best free-kick specialists rarely score from set pieces, when defenses are at their most organized. Instead, most goals come from the transitions, like when possession changes hands and the shape hasn’t had time to recover. When that happens, gaps in the defense get exposed and exploited. Not because your defenders weren’t good enough, but because their shape was broken.

Security architecture works the same way. Access controls, least-privilege policies, and configuration baselines aren’t things you put in place as a reaction to being attacked. They’re your defensive shape. And that shape gets tested by its own “transitions,” such as a new employee getting provisioned with more access than they need, an offboarding getting put off for weeks, or a merger closing before identity environments are reconciled. These are the moments when your shape is between states, and attackers are looking for exactly that window.

Soccer and security are both adversarial environments where timing often beats power. Opposing coaching staff study defensive tendencies before a match to recognize when it’s vulnerable, and attackers in security do the same. They read your environment before they move. The advantage goes to whoever finds the gaps first.

Unfortunately, most organizations don’t even know their own shape.

Tell me if this sounds familiar. You bought a credential vault, bolted on an EDR, layered in some PAM, and then brought in a DLP tool, but only after the audit findings came out. Each product was added as a response to whatever was on fire that quarter. And that’s because nobody ever sat you down and said, “okay, here’s your formation.”

So you end up with what we see in nearly every customer conversation: smart people, good tools, and positions on the field with nobody covering them.

A breach doesn’t mean your team was bad. Some of your players were even great. The problem was that you guarded one side of the field while keeping another open.

The formation

In soccer, formations affect everything. A team in a 4-3-3 plays a completely different game than a team in a 3-5-2. It’s the same eleven players, but in a totally different posture.

For security, I think the right shape is a 4-3-3, defensive variant. Here’s what that looks like:

Image

A keeper on credentials. A back four to give you depth where you need it most: endpoint behavior, least privilege, and the channels where data can slip through. Three in midfield to read access risk, track changes, and keep the directory clean. And a front line to govern identity and audit every action, with the platform acting as the playmaker: unified visibility across data and identity, so you can see the field before threats develop.

One formation, zero gaps. This covers the entire identity and data side of your environment, where most attacks find their way in.

What I’m asking you to do

As we’re all paying attention to the World Cup, I’m asking you to take a few minutes and think like a soccer coach. Pull out a piece of paper. Use the formation above as a guide and map out what each tool in your security stack is protecting. Be honest about your gaps.

That’s how you begin taking a good look at your risk posture. You find what nobody’s covering. And once you see it, you can start fixing it.

If you want to see the full formation laid out, with every position, every threat scenario, and every principle explained in more detail, head over to our Security XI page.

And on July 14, Netwrix CEO Grady Summers and former USMNT captain Claudio Reyna are running a webinar where they’ll walk through the whole thing live. Bring your hardest questions. The team’s counting on it.

Image
Register here

A back line can hold for 90 minutes and still lose to one missed assignment in stoppage time. You can have the shiniest tools and still get breached because one small thing went unmonitored.

Defense wins championships, not because it’s flashier than offense. It’s the opposite. Defense wins because it’s a system. One where every position is covered and every player knows exactly what they’re responsible for. Your security program should be no different.

Share on

Learn More

About the author

Asset Not Found

Ryan Oistacher

Director of Product Marketing

Ryan is a Product Marketing, Demand Generation, and New Business Development leader focused on growing and accelerating pipeline across direct and indirect sales channels. With a background in marketing research, enterprise technologies, and web analytics, Ryan is keen on using data to identify opportunities, baseline progress, and exceed targets. As a growth-driven product marketing leader, Ryan utilizes macro technology trends, KPIs, business cases, and relevant news events to align sales and marketing campaigns with IT buyer objectives.